Just to add some info:
In the past few days a couple of people gathered in Berlin to discuss reproducible builds. There were some people from the distributions that were quoted as not showing much interest, so maybe there will be more movement than this article suggests.
My personal take is that I think there are a few more pieces that are needed for really trustworthy software distribution.
I tried to get a grip on that with the idea that we have a chain "upstream repo" - "upstream tarball" - "potentially insecure transport" - "distribution compile" - "package" - "user download".
Reproducible builds basically fix the tarball-to-package step, but there's a lot more. E.g. how does a repo become a tarball? Who's checking that? And how does user A know he has the same software as user B? (This is mentioned at the end of the article in the comments of Joanna Rutkowska. Others have discussed basically the same ideas under the term "binary transparency".)
The Debian maintainers then sign those tarballs before uploading them to Debian.
Verification of the repo -> tarball process is done manually by some Debian maintainers, though not everyone does that.
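The repo -> tarball step discussed above can be checked mechanically rather than by eye. As an added example (not code from the original post or from Debian), the following Python script compares the files in a source checkout against the contents of a release tarball and reports what the tarball added, dropped or altered relative to the repository; the sample checkout and tarball are constructed inside the script, and the top-level directory name `proj-1.0/` is an assumption.

```python
"""Compare a source checkout against a release tarball (added example, constructed data)."""
import hashlib
import io
import os
import tarfile
import tempfile

def tree_digests(root: str) -> dict:
    """Map relative path -> sha256 of every regular file under root, skipping .git."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out

def tarball_digests(tar_bytes: bytes) -> dict:
    """Map path (top-level directory stripped) -> sha256 of each regular file in the tarball."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if member.isfile():
                rel = member.name.split("/", 1)[-1]  # drop the "proj-1.0/" prefix
                out[rel] = hashlib.sha256(tf.extractfile(member).read()).hexdigest()
    return out

def compare(repo: dict, tarball: dict) -> dict:
    """Classify differences: files only in the repo, only in the tarball, or with changed contents."""
    return {
        "missing_from_tarball": sorted(set(repo) - set(tarball)),
        "added_in_tarball": sorted(set(tarball) - set(repo)),
        "modified": sorted(p for p in repo.keys() & tarball.keys() if repo[p] != tarball[p]),
    }

def build_tarball(files: dict, prefix: str = "proj-1.0/") -> bytes:
    """Build an in-memory .tar.gz with the given {relative path: bytes} members (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for rel, data in files.items():
            info = tarfile.TarInfo(name=prefix + rel)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def demo() -> dict:
    """Constructed sample: the tarball ships a generated 'configure' and a changed main.c."""
    repo_files = {"README": b"hello\n", "src/main.c": b"int main(void){return 0;}\n"}
    tar_files = {"README": b"hello\n", "src/main.c": b"int main(void){return 1;}\n", "configure": b"#!/bin/sh\n"}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".git"))  # stand-in for the checkout's metadata directory
        for rel, data in repo_files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return compare(tree_digests(root), tarball_digests(build_tarball(tar_files)))
```

Files listed under `added_in_tarball` (typically generated build scripts) and `modified` are exactly the ones a reviewer has to account for before trusting that the tarball matches the tagged source.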